Implementing Splunk 7(Third Edition)

Field widgets

Clicking on values in the Select Fields dialog (the field picker) or in the field value widgets underneath an event will again give us an option to append (add to) or exclude (remove from) our search, or as shown before, to start a new search.

For instance, if source=C:\Test Data\TM1ProcessError_20140623213757_temp.log appears under your event, clicking on that value and selecting Add to search will append source=C:\Test Data\TM1ProcessError_20140623213757_temp.log to your search:

To use the field picker, you can click on the All Fields link (see the following screenshot):

Expand the results window by clicking on > in the far-left column. Clicking on a result will append that item to the current search:

If a field value looks like key=value in the text of an event, you will want to use one of the field widgets instead of clicking on the raw text of the event. Depending on your event segmentation setting, clicking on the word will either add the value or key=value.

The former will not take advantage of the field definition; instead, it will simply search for the word. The latter will work for events that contain the exact quoted text, but not for other events that actually contain the same field value extracted in a different way.
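The difference between the three ways of searching described above, as an added illustration that is not from the book: a small Python model of Splunk's behaviour with constructed events in which the same field (`level`) is extracted from two different raw layouts. The regexes stand in for the field extraction; the three search functions mimic a raw term click, a quoted `key=value` literal, and a field widget search.

```python
import re

# Constructed sample events (not from the book). The field "level" is present
# in two different raw layouts, plus one event where "error" is only a word.
EVENTS = [
    'Jun 23 21:37:57 host1 app: level=error job=TM1Process failed',   # key=value
    '{"ts":"2014-06-23T21:37:58","level":"error","msg":"disk full"}',   # JSON
    'Jun 23 21:37:59 host1 app: level=info retrying job',               # other value
    'Jun 23 21:38:00 host1 app: ERROR parsing error in line 12',        # word only
]

# Stand-in for the field definition (props/transforms): one regex per raw layout.
EXTRACTIONS = {
    "level": [re.compile(r'\blevel=(\w+)'), re.compile(r'"level":"(\w+)"')],
}

def extract(field, event):
    """Return the extracted value of `field` for one event, or None."""
    for rx in EXTRACTIONS.get(field, []):
        m = rx.search(event)
        if m:
            return m.group(1).lower()
    return None

def term_search(word):
    """Clicking the raw word: a bare, case-insensitive token match on the text."""
    rx = re.compile(r'\b' + re.escape(word) + r'\b', re.IGNORECASE)
    return [i for i, e in enumerate(EVENTS) if rx.search(e)]

def quoted_search(text):
    """Clicking a segmented key=value: only events containing that exact text."""
    return [i for i, e in enumerate(EVENTS) if text in e]

def field_search(field, value):
    """Field widget (level=error): uses the extraction, whatever the raw layout."""
    return [i for i, e in enumerate(EVENTS) if extract(field, e) == value]

if __name__ == "__main__":
    print("error          ->", term_search("error"))        # [0, 1, 3]
    print('"level=error"  ->', quoted_search("level=error"))  # [0]
    print("level=error    ->", field_search("level", "error"))  # [0, 1]
```

The raw word also hits the unrelated parser message, the quoted literal misses the JSON event, and only the field search returns exactly the events whose extracted `level` is `error`.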